CVE-2014-7144

medium

Description

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

References

https://bugs.launchpad.net/python-keystoneclient/+bug/1353315

http://www.ubuntu.com/usn/USN-2705-1

http://www.securityfocus.com/bid/69864

http://www.openwall.com/lists/oss-security/2014/09/25/51

http://secunia.com/advisories/62709

http://rhn.redhat.com/errata/RHSA-2015-0020.html

http://rhn.redhat.com/errata/RHSA-2014-1784.html

http://rhn.redhat.com/errata/RHSA-2014-1783.html

Details

Source: Mitre, NVD

Published: 2014-10-02

Updated: 2016-11-28

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity: Medium